Skip to main content

Rps Include Content EUVDEUVD-2026-20298

| CVE-2026-39639 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-8mj5-q5fc-rjx2
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20298
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Content: from n/a through <= 1.2.2.

AnalysisAI

RPS Include Content WordPress plugin through version 1.2.2 fails to properly enforce access control, allowing authenticated users to modify content they should not have permission to alter. The vulnerability stems from missing authorization checks that validate user permissions before allowing content modifications, affecting all installations of the plugin up to and including version 1.2.2. While the CVSS score of 6.5 reflects moderate severity, the low EPSS score (0.02% percentile 4%) suggests limited real-world exploitation probability, likely due to the requirement for authenticated access and the plugin's relatively narrow user base.

Technical ContextAI

RPS Include Content is a WordPress plugin that provides functionality for including content across pages and posts. The vulnerability is classified as CWE-862 (Missing Authorization), which occurs when the application performs an action or grants access based on user input without properly verifying that the user is authorized to perform that action. In this case, the plugin fails to implement proper authorization checks on its content modification endpoints, relying on authentication alone without validating the user's specific permissions to modify the targeted content. The affected product is identified via CPE cpe:2.3:a:redpixelstudios:rps_include_content:*:*:*:*:*:*:*:*, indicating all versions through 1.2.2 are vulnerable regardless of WordPress environment or hosting configuration.

RemediationAI

Update RPS Include Content to a patched version above 1.2.2 immediately. WordPress site administrators should navigate to the Plugins section of their WordPress dashboard, locate RPS Include Content, and click Update if available. If no update is available in the dashboard, visit the plugin's official repository or redpixelstudios' website to obtain the latest patched version. As a temporary workaround pending patch availability, restrict plugin access to trusted administrator-level users only by limiting user role assignments and disabling the plugin for non-administrative users if functionality permits. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/rps-include-content/vulnerability/wordpress-rps-include-content-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve) for patch version specifics and additional guidance from the plugin developer.

Share

EUVD-2026-20298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy